26  DTLS Attacks & Auth

In 60 Seconds

DTLS faces UDP-specific attacks including amplification DoS, session hijacking, and cipher suite downgrade attacks. Its defenses—cookie-based handshake verification, MAC integrity checks, and sequence number tracking—are effective only when properly configured. For authentication, use pre-shared keys (PSK) for small deployments under 100 devices, and certificate-based authentication with automated PKI for enterprise-scale systems.

Key Concepts

• DTLS MITM Attack: Attack where adversary intercepts and modifies DTLS traffic; prevented by certificate validation (PKI) or out-of-band PSK distribution
• Handshake Flooding: DoS attack sending many ClientHello messages without completing handshakes to exhaust server state; mitigated by DTLS cookie exchange (stateless until cookie verified)
• Replay Attack: Attacker retransmits captured DTLS records; DTLS anti-replay window (48-bit sequence number + sliding window) drops records with previously-seen sequence numbers
• Key Exhaustion Attack: Exploiting AES-CBC IV reuse in older DTLS 1.2 implementations; fixed by using AES-GCM (AEAD) cipher suites (TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256)
• Version Downgrade Attack: Attacker intercepts ClientHello and modifies version field to force use of older, weaker TLS/DTLS version; prevented by supported_versions extension in TLS 1.3/DTLS 1.3
• Client Authentication (mTLS): Mutual TLS where the server also requests and validates a client certificate; prevents unauthorized clients from connecting to IoT backend services
• ECDSA Certificate: Elliptic Curve Digital Signature Algorithm certificate; 256-bit ECDSA provides equivalent security to 3072-bit RSA with much smaller key and signature sizes (critical for constrained devices)
• Certificate Pinning: IoT device stores the expected server certificate (or public key hash); rejects connections to any server presenting a different certificate, preventing CA-compromise attacks

26.1 Learning Objectives

By the end of this chapter, you will be able to:

• Analyze Attack Scenarios: Identify and explain amplification DoS, session hijacking, and downgrade attacks against DTLS
• Evaluate Defense Mechanisms: Explain how cookie mechanism, MAC, and finished message verification protect DTLS
• Compare Authentication Methods: Choose between PSK and certificate-based authentication based on deployment needs
• Design Secure Deployments: Apply authentication best practices for small and large-scale IoT systems

For Beginners: DTLS Attacks and Authentication

Just as a locked door protects your home, DTLS protects data traveling between IoT devices. This chapter covers common attacks that try to break that protection and the authentication methods used to verify that devices are who they claim to be. Understanding threats helps you build more secure IoT systems.

MVU: Minimum Viable Understanding

Core concept: DTLS defends against UDP-specific attacks (amplification, replay, downgrade) through cookie mechanism, sequence numbers, and handshake verification.

Why it matters: Understanding attacks helps you configure DTLS correctly—a misconfigured DTLS deployment may be worse than no security at all.

Key takeaway: Use PSK for small deployments (< 100 devices) with manual provisioning; use certificates for enterprise scale with automated PKI and revocation.

Sensor Squad: Defending Against the Bad Guys!

“DTLS faces some sneaky attacks because it runs on UDP,” warned Max the Microcontroller. “The amplification attack is the nastiest—an attacker spoofs a victim’s address and sends a tiny handshake request. The server responds with a much larger message to the victim, flooding them with traffic.”

“That is why the cookie mechanism exists,” explained Sammy the Sensor. “The server does not commit resources until the client proves it is at the claimed address by echoing back a cookie. No cookie, no handshake. It is like a bouncer checking IDs before letting someone into the club.”

“Session hijacking is another threat,” added Lila the LED. “If an attacker can inject packets into your session, they could send fake commands to your IoT devices. DTLS prevents this with MAC integrity checks—every packet has a mathematical proof that it came from the real sender.”

“For authentication, the choice is simple,” said Bella the Battery. “Small deployments under 100 devices? Use pre-shared keys—they are easy to manage. Large deployments? Use certificates with automated PKI. Never use the same key on all devices—if one gets compromised, all are compromised!”

26.2 Prerequisites

Before diving into this chapter, you should be familiar with:

• DTLS Fundamentals and Architecture: Basic DTLS concepts and properties
• DTLS Handshake Protocols: Understanding of the handshake process

26.3 DTLS Attack Scenarios and Defenses

Understanding attacks against DTLS helps appreciate its security mechanisms:

26.3.1 Attack 1: Amplification DoS

Attack Description:

Attacker sends small ClientHello (50 bytes) with spoofed source IP
Server responds with large Certificate (2000 bytes) to victim
Result: 40x amplification factor

DTLS Defense - HelloVerifyRequest (Cookie Mechanism):

DTLS Cookie Mechanism for DoS Protection

Figure 26.1: The server maintains zero state until cookie verification succeeds, preventing memory exhaustion. The cookie eliminates the amplification advantage by requiring the attacker to complete a round-trip before receiving large server messages.

Cookie Implementation:

Cookie = HMAC-SHA256(Client_IP + Client_Port + Server_Secret)

Verification:
1. Client sends ClientHello
2. Server computes cookie, sends HelloVerifyRequest
3. Client echoes cookie in second ClientHello
4. Server recomputes cookie, verifies match
5. Only then sends Certificate (large message)

Impact: Reduces amplification factor from 40x to 2x.

26.3.2 Attack 2: Session Hijacking

Attack Description:

Attacker intercepts DTLS handshake, tries to inject own messages
Goal: Establish session with server using victim's credentials

DTLS Defense - Message Authentication Code (MAC):

DTLS Message Authentication Code Protection

Figure 26.2: The MAC tag travels alongside the ciphertext. Any bit flip in the payload produces a mismatched MAC on the server side, causing the packet to be silently dropped. Modern AEAD ciphers (AES-GCM, AES-CCM) combine encryption and authentication in a single pass, eliminating the need for a separate MAC.

Result: Any tampering detected, packet rejected.

26.3.3 Attack 3: Downgrade Attack

Attack Description:

Attacker intercepts ClientHello, modifies supported cipher list
Removes strong ciphers (AES-256), forces weak cipher (DES)
Goal: Make encryption easier to crack

DTLS Defense - Finished Message Verification:

Handshake process:
1. ClientHello: Lists [AES-256-GCM, AES-128-CCM, 3DES]
2. Attacker modifies: [3DES] (removes strong ciphers)
3. ServerHello: Chooses 3DES (only option)
4. Handshake continues...
5. Finished message: Hash of ALL handshake messages
   - Client: Hash(original ClientHello + ServerHello + ...)
   - Server: Hash(modified ClientHello + ServerHello + ...)
   - Hashes don't match -> Handshake fails
   - Connection aborted

Result: Any modification to handshake messages detected.

Quick Check: DTLS Attack Defenses

26.4 Authentication Methods: PSK vs Certificates

DTLS supports two main authentication modes:

Feature	Pre-Shared Key (PSK)	X.509 Certificates
Setup Complexity	Simple	Complex (PKI needed)
Key Distribution	Out-of-band (manual)	Automated (CA)
Scalability	Poor (N^2 keys for N devices)	Excellent (each device has 1 cert)
Computation	Low (symmetric crypto only)	High (public key crypto)
Memory	Low (16-32 bytes key)	High (1-4 KB certificate)
Revocation	Manual	Automated (CRL, OCSP)
Perfect Forward Secrecy	No (unless ECDHE-PSK)	Yes (with ECDHE)
Best For	Small deployments, factory provisioning	Large deployments, enterprise

Try It: PSK vs Certificate Authentication Selector

Adjust your deployment parameters to see which DTLS authentication method fits your use case.

viewof numDevices = Inputs.range([1, 10000], {value: 50, step: 1, label: "Number of IoT devices"})

viewof avgRamKB = Inputs.range([8, 512], {value: 64, step: 8, label: "Device RAM (KB)"})

viewof hasPKI = Inputs.select(["No – we manage keys manually", "Yes – we have a CA/PKI system"], {label: "PKI infrastructure available?"})

{
  // Decision logic
  const pskThreshold = 100;
  const certRamMin = 8; // minimum KB for certificate storage (simplified)
  const hasPki = hasPKI.startsWith("Yes");
  const pskKeyCount = numDevices * (numDevices - 1); // total key-pair entries (N×(N-1))
  const certRamOK = avgRamKB >= certRamMin;

  let recommendation, reason, pskScore, certScore;

  // Scoring (higher = better fit)
  pskScore = 0;
  certScore = 0;

  if (numDevices <= pskThreshold) pskScore += 3; else certScore += 3;
  if (!hasPki) pskScore += 2; else certScore += 2;
  if (avgRamKB < 32) pskScore += 2; else certScore += 1;
  if (!certRamOK) pskScore += 2;

  if (pskScore >= certScore) {
    recommendation = "Pre-Shared Key (PSK)";
    reason = `With ${numDevices} device${numDevices > 1 ? "s" : ""} and ${avgRamKB} KB RAM${!hasPki ? " and no PKI" : ""}, PSK is the practical choice. You will manage ${numDevices} unique PSKs stored in a hub or gateway.`;
  } else {
    recommendation = "X.509 Certificates";
    reason = `With ${numDevices} device${numDevices > 1 ? "s" : ""} and your existing PKI infrastructure, certificates scale efficiently. Each device holds 1 certificate regardless of fleet size.`;
  }

  const pskMemory = 32; // bytes per PSK
  const certMemory = 2048; // bytes per certificate (typical ECDSA P-256)
  const pskTotalKB = (numDevices * pskMemory / 1024).toFixed(1);
  const certTotalKB = (numDevices * certMemory / 1024).toFixed(1);

  const color = recommendation.startsWith("Pre") ? "#16A085" : "#E67E22";

  return html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${color};">
    <div style="font-size: 1.1em; font-weight: bold; color: ${color}; margin-bottom: 0.5rem;">
      Recommended: ${recommendation}
    </div>
    <p style="margin: 0 0 0.75rem 0;">${reason}</p>
    <table style="width: 100%; border-collapse: collapse; font-size: 0.9em;">
      <thead>
        <tr style="background: #2C3E50; color: white;">
          <th style="padding: 6px 10px; text-align: left;">Metric</th>
          <th style="padding: 6px 10px; text-align: center;">PSK</th>
          <th style="padding: 6px 10px; text-align: center;">Certificates</th>
        </tr>
      </thead>
      <tbody>
        <tr style="background: white;">
          <td style="padding: 6px 10px;">Key material (all devices)</td>
          <td style="padding: 6px 10px; text-align: center;">${pskTotalKB} KB</td>
          <td style="padding: 6px 10px; text-align: center;">${certTotalKB} KB</td>
        </tr>
        <tr style="background: #f0f4f8;">
          <td style="padding: 6px 10px;">PKI required?</td>
          <td style="padding: 6px 10px; text-align: center;">No</td>
          <td style="padding: 6px 10px; text-align: center;">Yes</td>
        </tr>
        <tr style="background: white;">
          <td style="padding: 6px 10px;">Remote revocation</td>
          <td style="padding: 6px 10px; text-align: center;">Manual</td>
          <td style="padding: 6px 10px; text-align: center;">CRL / OCSP</td>
        </tr>
        <tr style="background: #f0f4f8;">
          <td style="padding: 6px 10px;">Perfect Forward Secrecy</td>
          <td style="padding: 6px 10px; text-align: center;">Only with ECDHE-PSK</td>
          <td style="padding: 6px 10px; text-align: center;">Yes (with ECDHE)</td>
        </tr>
      </tbody>
    </table>
  </div>`;
}

26.4.1 PSK Example: Smart Home (10 devices)

Provisioning:

Factory: Generate PSK = 0x1A2B3C4D...
        Write PSK to device EEPROM
        Print PSK on device label (or QR code)

Setup:  User scans QR code
        PSK entered into hub
        Hub stores PSK for each device

Handshake (simplified):

Client->Server: ClientHello, PSK_identity="light-bulb-01"
Server->Client: ServerHello, cipher=AES-128-CCM-PSK
[Both derive keys from PSK]
Client->Server: Finished (encrypted with derived key)
Server->Client: Finished
[Secure channel established]

Advantages:

• No certificates needed
• Fast handshake (no public key ops)
• Low memory (fits on tiny MCUs)

Disadvantages:

• Manual provisioning
• If PSK compromised, all past sessions decryptable (no PFS)
• Doesn’t scale to 1000s of devices

26.4.2 Certificate Example: Industrial IoT (1000 sensors)

Provisioning:

Factory: Generate key pair for each device
        Submit CSR to CA
        CA issues certificate
        Store cert + private key in secure element

Deployment: Device presents certificate during handshake
           Server verifies against trusted CA
           No manual PSK entry needed!

Advantages:

• Scales to millions of devices
• Certificate revocation (remove compromised devices)
• Perfect Forward Secrecy (past sessions safe even if key leaked)

Disadvantages:

• Requires PKI infrastructure
• Higher memory (certificates)
• Slower handshake (public key crypto)

26.5 Knowledge Check

Quiz: DTLS Attacks, Authentication, and Trade-offs

Common Misconception: “DTLS is just TLS over UDP”

The Misconception: Many developers assume DTLS is simply TLS running on UDP sockets without modification, leading to implementation failures and security vulnerabilities.

The Reality: DTLS required fundamental protocol redesign to handle UDP’s unreliability. Real-world impact:

2020 IoT Camera Incident (quantified):

• Vendor: Major smart camera manufacturer
• Mistake: Implemented “TLS-like” security over UDP without proper DTLS
• Missing: Cookie mechanism, sequence number tracking, handshake retransmission
• Result:
  • DoS vulnerability: 1 attacker -> 40x amplification -> took down 500 cameras
  • Replay attacks: Captured packets replayed 48 hours later still accepted
  • Connection failures: 23% handshake failure rate in lossy Wi-Fi (packets lost, no retransmit)
  • Recall cost: $2.3M for firmware updates + customer service
  • Reputation damage: 37% customer churn to competitor products

Key DTLS Adaptations Beyond “TLS on UDP”:

1. HelloVerifyRequest Cookie (not in TLS):
   • Prevents amplification DoS attacks
   • Stateless server verification
   • Without it: 40x amplification factor
2. Explicit Sequence Numbers (13-byte header vs 5-byte TLS):
   • In-band sequence tracking (UDP has no stream concept)
   • Replay protection without TCP sequence numbers
   • Without it: Replay attacks succeed
3. Handshake Retransmission (timer-based):
   • TLS relies on TCP retransmits
   • DTLS implements own timers (exponential backoff)
   • Without it: 20-30% connection failures on lossy networks
4. Message Fragmentation (handles large certificates):
   • TLS uses TCP segmentation
   • DTLS fragments at record layer
   • Without it: Handshakes fail when Certificate > MTU

Correct Understanding: DTLS is TLS’s security model redesigned for datagram transport, requiring cookie exchange, explicit sequencing, retransmission logic, and fragmentation handling.

26.6 Worked Example: DTLS Handshake Cost on a Constrained Device

Scenario: An ESP32-based environmental sensor using DTLS-PSK connects to a CoAP cloud server every 15 minutes. Calculate the energy cost of each DTLS session and determine whether session resumption is worth implementing.

Putting Numbers to It

DTLS Handshake Energy Cost Over 1 Year

An ESP32 sensor connects every 15 minutes for 1 year. Let’s calculate cumulative handshake energy:

\[ \text{Sessions per year} = \frac{365 \times 24 \times 60}{15} = 35{,}040 \text{ connections} \]

Full DTLS-PSK handshake energy (TX: 11.1 ms at 120 mA, RX: 9.6 ms at 50 mA, CPU: 28.6 ms at 80 mA):

\[ E_{\text{handshake}} = (11.1 \times 120) + (9.6 \times 50) + (28.6 \times 80) = 1{,}332 + 480 + 2{,}288 = 4{,}100 \text{ µAs} = 0.00114 \text{ mAh} \]

Over 1 year, cumulative handshake cost:

\[ E_{\text{year}} = 35{,}040 \times 0.00114 = 39.95 \text{ mAh} \]

With a 2,000 mAh battery, handshakes alone consume 2.0% of capacity. If each 15-minute data transmission costs 5 mAh (sensor reading + radio TX), total application energy is 175,200 mAh over 1 year—requiring 88 battery replacements. Session resumption reduces handshake overhead by 67%, saving approximately 27 mAh/year (equivalent to 5 fewer wake cycles).

Full DTLS-PSK handshake (measured on ESP32 at 160 MHz):

Message               Size (bytes)  TX Time    RX Time    CPU Time
ClientHello           78            3.1 ms     --         0.8 ms
HelloVerifyRequest    --            --         2.4 ms     0.3 ms
ClientHello+Cookie    110           4.4 ms     --         0.5 ms
ServerHello           85            --         3.4 ms     0.4 ms
ServerKeyExchange     48            --         1.9 ms     12.1 ms*
ServerHelloDone       5             --         0.2 ms     0.1 ms
ClientKeyExchange     48            1.9 ms     --         11.8 ms*
ChangeCipherSpec      6             0.2 ms     --         0.1 ms
Finished              37            1.5 ms     --         1.2 ms
ChangeCipherSpec      --            --         0.2 ms     0.1 ms
Finished              --            --         1.5 ms     1.2 ms

* PSK key derivation (PRF with HMAC-SHA256)

Totals:
  TX time: 11.1 ms at 120 mA = 1,332 µAs (1.332 mAs)
  RX time:  9.6 ms at  50 mA =   480 µAs (0.480 mAs)
  CPU time: 28.6 ms at  80 mA = 2,288 µAs (2.288 mAs)
  Handshake total: 4,100 µAs = 4.10 mAs = 0.00114 mAh

Session resumption (abbreviated handshake):

ClientHello+SessionID  92 bytes, TX: 3.7 ms
ServerHello+SessionID  89 bytes, RX: 3.6 ms
ChangeCipherSpec x2    12 bytes each
Finished x2            37 bytes each

Totals:
  TX time:  5.4 ms at 120 mA = 0.648 mAs
  RX time:  5.1 ms at  50 mA = 0.255 mAs
  CPU time:  3.2 ms at  80 mA = 0.256 mAs
  Resumption total: 1.16 mAs = 0.000322 mAh

Energy savings over 1 year (96 connections/day):

Full handshake every time:
  96 x 365 x 0.00114 mAh = 39.95 mAh/year

Session resumption (cache 4-hour sessions):
  First connect of 4-hour block: full handshake
  Next 15 connects: resumption
  Full handshakes/day: 6  |  Resumptions/day: 90

  (6 x 365 x 0.00114) + (90 x 365 x 0.000322) = 2.50 + 10.57 = 13.07 mAh/year

Savings: 39.95 - 13.07 = 26.88 mAh/year (67% reduction)

Memory cost of session cache:

Per cached session:
  Session ID:     32 bytes
  Master secret:  48 bytes
  Cipher suite:    2 bytes
  Compression:     1 byte
  Peer address:   16 bytes (IPv6)
  Timestamp:       4 bytes
  Total:         103 bytes

For 4 cached sessions: 412 bytes of RAM
ESP32 has 520 KB SRAM → 0.08% overhead

Decision: Session resumption saves 67% handshake energy at 0.08% RAM cost. Always implement for battery-powered DTLS devices.

Real-World Reference: The Eclipse Californium CoAP/DTLS library (used in Bosch IoT Suite) implements session resumption by default, with a configurable cache size. Their telemetry from 50,000 deployed sensors shows session resumption succeeds 89% of the time, reducing average connection setup from 280ms to 45ms.

🏷️ Label the Diagram

💻 Code Challenge

26.7 Summary

Attack Defenses:

• Amplification DoS: Cookie mechanism reduces factor from 40x to 2x
• Session Hijacking: MAC ensures integrity and authenticity
• Downgrade Attack: Finished message verifies entire handshake transcript

Authentication Choice:

• PSK: Simple, fast, low memory—use for fewer than 100 devices
• Certificates: Scalable, revocable, PFS—use for enterprise deployments

Key Considerations:

• PSK requires manual provisioning but uses 70% less memory
• Certificates provide automated PKI but require more resources
• ECDHE-PSK adds forward secrecy to PSK mode

Common Pitfalls

1. Skipping DTLS Cookie Validation for Performance

Disabling DTLS cookie exchange (ClientHello without HelloVerifyRequest) to reduce handshake latency eliminates the anti-DoS protection. An attacker can then send 10,000 spoofed ClientHello packets with random source IPs per second, consuming all server memory for half-open DTLS sessions (each consuming 1–4 KB). Enable cookie exchange on all public-facing DTLS servers; the one extra round trip (15–50 ms) is a worthwhile DoS prevention investment.

2. Using Weak PSK Values for DTLS

Pre-Shared Key DTLS security depends entirely on PSK strength. PSK values derived from device serial numbers, MAC addresses, or short numeric codes (e.g., “12345678”) can be brute-forced. PSK values must be randomly generated with at least 128 bits of entropy (32 hex characters or 22 base64 characters). Use a cryptographically secure PRNG (e.g., mbedTLS entropy source on hardware with True RNG) to generate PSKs during manufacturing.

3. Not Implementing Certificate Revocation Checking

IoT deployments using certificate-based DTLS that do not implement certificate revocation (OCSP or CRL) cannot invalidate compromised certificates. A device whose certificate was extracted by an attacker remains trusted indefinitely. Implement OCSP stapling on the server side to provide revocation status, or use short-lived certificates (7–30 day expiry) that automatically expire compromised credentials without explicit revocation infrastructure.

4. Ignoring Session Resumption Security

DTLS session resumption (abbreviated handshake using cached session parameters) reduces handshake overhead from 6–12 RTTs to 2 RTTs. However, session tickets must be encrypted with a server-side ticket encryption key that must be rotated regularly. A fixed ticket encryption key means session tickets decrypted after a server compromise reveal session keys from past connections (no forward secrecy). Rotate DTLS ticket encryption keys every 24 hours and implement ticket expiry validation.

26.8 What’s Next?

Continue your DTLS learning journey with the following chapters:

Chapter	What You Will Learn	Link
DTLS Performance and Implementation	Benchmark handshake costs, optimize session resumption, and apply best practices for production deployments	Read
DTLS Fundamentals and Architecture	Review the record layer structure, epoch handling, and sequence number design that underpin the attacks covered here	Read
DTLS Handshake Protocols	Examine the full flight-based handshake in detail, including retransmission timers and fragmentation	Read
Transport Protocol Comparison	Compare DTLS with QUIC, TLS over TCP, and CoAP to select the right protocol for your IoT use case	Read
IoT Security Threats Overview	Broaden your threat model beyond DTLS to cover the full IoT attack surface	Read
Cryptography for IoT	Deepen your understanding of the AES-GCM, ECDHE, and HMAC primitives used inside DTLS	Read